5
votes

I have a .NET Core console app that downloads files from an FTP server and processes them. I moved the app onto a new server, and it stopped working. Disabling Windows Firewall on the new server solves the problem, but obviously I don't want to leave it wide open - I need a targeted way of enabling this app. FTP traffic seems to already be allowed (inbound and outbound) by the default firewall rules, so I don't know which additional ports could be opened (I think I'm using active FTP, which can use a broad port range AFAIK). I would prefer to whitelist the application, but it is not an .exe file, so I'm not exactly sure which application to allow.

I run the application using a shortcut to a .bat file. The bat file contains just the following line:

dotnet "C:\path\my-application.dll"

The code on which the application fails is:

FtpWebRequest request = (FtpWebRequest)FtpWebRequest.Create(ftpServerUri);
request.UseBinary = true;
request.Credentials = new NetworkCredential(ftpUser, ftpPsw);
request.Method = WebRequestMethods.Ftp.ListDirectory;
request.Proxy = null;
request.KeepAlive = false;
request.UsePassive = false;

// hangs here forever unless Windows Firewall is turned off
FtpWebResponse response = (FtpWebResponse)await request.GetResponseAsync();

Is it possible to allow the application through the firewall? Do I allow dotnet.exe, or the .bat file, or the .dll file, or is there an alternate way of doing this? Thanks in advance for any help!

3
There is a way to publish your console app so that an exe is created -> (stackoverflow.com/questions/44074121/…), you could then whitelist the exe -> one possible solution. – Ryan Wilson

3 Answers

2
votes

Do not use FTP active mode. And you won't have firewall problems.

The passive mode is enabled by default for a good reason. It makes it less problematic to pass through a firewall.

Remove this line:

request.UsePassive = false;

Read my article on network configuration needed for FTP active and passive modes.

1
votes

You can try 2 things on Win10:

  • Allow an App through Windows Firewall

Navigation Path: Control Panel\All Control Panel Items\Windows Defender Firewall\Allowed apps

Click Allow another app

On the following pop up, provide the absolute path to dotnet.exe

  • Configure Windows Defender Firewall with Advanced Security with below

Navigation Path: Control Panel\All Control Panel Items\Windows Defender Firewall\Advanced Settings

EDIT:

Turns out whitelisting did the trick.

0
votes

I may have found an answer here:

https://serverfault.com/questions/401304/active-ftp-client-blocked-by-windows-firewall-on-windows-7

Basically the solution is to go to Firewall advanced settings, and create a new inbound rule. Select Custom Rule. I applied it to All Programs (since I still don't know how to select a .NET Core app). I used protocol type: TCP, local port: All Ports, and remote port: Specific Ports 20.

The idea is that you initiate the connection on TCP port 20, and then the resulting inbound traffic is pointed at some arbitrary port, but you can determine that it is an FTP response due to the fact that the remote port is TCP port 20. So instead of opening a huge range of local ports, you open all local ports but only for a single remote port.

I will leave this open in case somebody has an answer that will help me allow the entire application, but this is a good enough solution otherwise.
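
An added example (not code from the question or from any of the answers): a PowerShell script that creates the inbound rule described in the last answer, narrowed to the dotnet.exe host that the second answer whitelisted and to the FTP server's own addresses. The `$FtpServer` parameter and the rule name are assumptions made for this example; remote port 20 is taken from the answer above.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original thread.
param(
    # Assumption: host name or IP of the FTP server the app downloads from.
    [Parameter(Mandatory)] [string] $FtpServer,
    # Assumption: display name chosen for this example.
    [string] $RuleName = 'Active FTP data to dotnet.exe'
)

# my-application.dll is loaded by dotnet.exe, so that is the program the
# firewall sees; resolve its full path from PATH.
$dotnet = (Get-Command dotnet.exe -ErrorAction Stop).Path

# Firewall rules match IP addresses, so resolve the server name once.
# Re-run the script if the server's address changes.
$addresses = [System.Net.Dns]::GetHostAddresses($FtpServer) |
    ForEach-Object { $_.IPAddressToString }

# Replace any earlier copy of the rule so the script can be re-run safely.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Inbound TCP from remote port 20 (the active-mode data connection in the
# answer above), only from the FTP server, only to dotnet.exe.
$rule = New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Action Allow -Protocol TCP `
    -RemotePort 20 -RemoteAddress $addresses -Program $dotnet

# Show the filters that were stored, to confirm the scope of the rule.
$rule | Get-NetFirewallPortFilter        | Format-List Protocol, LocalPort, RemotePort
$rule | Get-NetFirewallAddressFilter     | Format-List RemoteAddress
$rule | Get-NetFirewallApplicationFilter | Format-List Program
```

Because the rule names dotnet.exe, it covers every application started through that host on the machine; publishing the app as its own exe, as the comment under the question suggests, lets `-Program` point at that file instead.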